CORPORATE RESOURCES…

Automated Code Review

The Benefits Of Automated Code Review

According to the 2016 Verizon Data Breach Investigations Report, the top 9 multi-industry data breaches are the result of web application attacks (the most prevalent), POS intrusions, payment card skimmers, insider and privilege misuse, physical theft, cyber-espionage (a rising threat), crime-ware, denial-of-service-attacks, and miscellaneous errors (namely shortage of capacity, mis-delivery, and publishing errors). The Verizon report, however, prompted a cross-section of security experts in the IT industry to question the accuracy of its conclusions. It was argued that other vulnerabilities posed far greater risks for developers than those on the Verizon list, namely SQL injections, insecure direct object references, insecure authorizations, insecure password resets, insecure direct object references, and default credentials.

Despite the conflicting stances, one thing is clear: IT professionals must leverage a wide-range of cyber-security solutions to thwart data breaches. A comprehensive solution such as Kiuwan tackles these issues in the most thorough and comprehensive way.

In an automated code review, the benefits outweigh any so called disadvantages. Automated code analysis is an attractive option for developers because it allows an analytical review of the source code without the necessity of executing the program. Static analysis augments dynamic analysis and is more effective in the early development phases of software.

Essentially, it is useful for identifying specific vulnerabilities during the early stage of the SDLC (Software Development Lifecycle) process, the precise moment where it is more critical to address these problems. During the code-writing and implementation phase, automated code reviews can uncover security vulnerabilities before they have the potential to infect the rest of the development process.

As part of a comprehensive cyber-security solution, this method can aid in preventing the most devastating of cyber breaches. The benefits include:

the ability to identify syntax, logic, lexical, semantic, and run-time code errors. Common syntax errors include missing semicolons, undeclared variable names, unterminated strings, and unmatched parentheses. A syntax error means that a program cannot be translated by a compiler into executable code. When there are semantic errors, however, the compiler does translate the program into executable code, but the program does not work properly when it is run. Examples of semantic errors in C++ include infinite loops, dangling “else” clauses, off-by-one errors, missing compound statements, and misplaced code inside loops. Lexical errors, on the other hand, usually comprise illegal or prohibited characters at the beginning of a string. Many advanced static analysis tools can find these errors even before the execution phase of the program.

the ability to identify vulnerabilities before the execution of a program, thus decreasing the costs of fixing breaches later in the development process.

the ability to identify malicious embedded code in applications. For example, hackers can exploit the Domain Name System (DNS) to amplify denial-of-service attacks. They can also embed malicious code into DNS requests for the purpose of exfiltration or the illegal transfer of data.Some malware code authors or bot herders use FastFlux DNS hosting techniques to lease infected systems to Internet cyber-criminals. These bot herders develop what is known as bot software, which can be covertly installed into compromised systems. Once the software is installed, cyber-criminals can control the infected system through a remote command-and-control center. Developers can utilize full static code analysis to identify the malicious compressed codes and encrypted text strings in malware binaries to quickly detect and confirm malicious intent. Today, IT experts advocate the use of automated code reviews to identify malware and potential cyber breaches.

the ability to alert you of the use of anti-patterns in the code. Anti-patterns refer to design flaws in a program. Static code analysis that identifies anti-patterns in source code constructs is known as pattern-based static analysis. This type of analysis checks for code defects that can cause memory losses, and it ensures that developers have complied with industry coding standards and guidelines.

the ability to identify Cyclomatic Complexity, a measure of the complexity of a program. Cyclomatic complexity metrics assists developers in determining the number of logical paths that can be derived from a code structure. A high complexity metric number means that the application risks high error rates; such a metrics report would alert developers to the need to test all revealed independent path executions. Static metrics such as Cyclomatic Complexity allows developers to measure the viability and strength of an application at the coding level. Developers have at their disposal concrete measures to determine the security and effectiveness of their software applications.

To date, all indications point to the continued importance of static analysis as part of any comprehensive cyber-security solution.To all intents and purposes, the benefits of automated code reviews can hardly be over-emphasized.

Automated code review and manual code review

An effective code review within the software development cycle will save you a lot of time and money. There are two types of code reviews:

Manual code review. It is very effective in saving time and money in post-development phases, such as testing or software maintenance. Manual review is costly in resources and time and is not usually exhaustive. This means that on top of requiring additional high-profile programmers, it is usually only used in the most critical parts of the software and you cannot achieve full code coverage and of types of errors.

Automated code review. It has the same advantages in saving time and money as the manual review, but it is done by specialized tools. This means you get results in much less time and without having to hire additional programmers. The code review coverage is of 100% since the full code can be reviewed as many times as necessary. Automated code review tools are based on rules that scan the code for programming structures that allow for bugs or errors.

Advantages of automated code review

Code review is aimed at reducing software errors by supporting other areas such as unit testing, functional testing, or penetration testing to predict and detect security breaches.

“Adding code review into the development process can get software that is free of failures at 99%.”

Here’s a list of the advantages of performing automatic code reviews:

The complete code is analyzed very quickly. Usually, the programmers have the results in a few minutes.

It is a very interesting opportunity for programmers to learn and evolve professionally.

You can review thousands of types of errors of all types without having specialized staff in each area.

Security vulnerabilities are difficult to find with other techniques which include SQL Injection and Cross-Site Scripting.

It provides the exact source of the problem within the same source code, greatly facilitating the correction against errors detected in testing that later require a diagnosis.

It is only necessary to have the source code to carry it out, it is not necessary to have a runtime environment or data sets. This allows the revision of the code can be done in the initial stages of development and that corrections are performed effectively with very few resources.

It is possible to integrate the tools automatically with the repositories in the cloud so you do not have to dedicate any type of infrastructure and start having data and performance results from day one.

Kiuwan as an automated code review tool

Among its many features, Kiuwan offers:

Reports

Code metrics

Defects list

Defects muter

Historical evolution

Import and export different rulesets

Kiuwan integrated with GitHub

Kiuwan Code Review is a Kiuwan edition fully integrated with GitHub. Here is a list of special features:

- Synchronize the repositories you want to analyze.

- The first analysis of the code starts automatically when you synchronize the repository. So you get results in a few minutes.

- All the configuration is done automatically, although you can configure the rules model to choose the controls you want to pass.

- The analysis of the public repositories (open source) is automatized and free.

- From the moment the repository is synchronized, Kiuwan will monitor the changes in the repository and launch an automatic analysis every time a tag or new version is created.

- You will receive an email every time you finish an analysis so you can review the results.

- Badges with the level of security and quality of the application so you can place them in your Home repository to generate confidence about your code.

How to connect Kiuwan with GitHub

There are three simple steps to see your first results:

Go to https://www.kiuwan.com/codereview and click on the “Go with GitHub” button:

This will take you to your GitHub account to accept the permissions and authorize Kiuwan to access your GitHub account.

Select the repository you want to synchronize and the first scan will begin.

How does the analysis of a Github repository work?

As you will have seen in the previous section, once the repository is connected with Kiuwan, it will be analyzed automatically. Source code analysis is performed on Kiuwan servers. The service has a system of queues that distribute the work between the different servers and has two phases:

- Analysis phase of the source code: In this first phase the Kiuwan analyzers are involved and all the rules of the model are executed on your source code. At the end of this phase, the source code is removed from the Kiuwan servers and only the evidence of defects, metrics and locations where problems are found are stored.

- Phase of persistence and calculations: In the second phase, all the evidence from the previous phase is collected, prioritized, ordered and all metrics are calculated. All the information is persisted in our database so that it can be consulted with the screens.

Once the first analysis is complete, your repository is inside our GitHub repository monitoring system. When Kiuwan detects that you have generated a new version (tag) from your Git or from the GitHub screens, then a new analysis is generated and it enters the queue system.

With the passing of time, you can consult all the data of the tagged versions of your repository, even compare them with each other to find out which versions or corrected defects or vulnerabilities are introduced.

What results does Kiuwan provide?

- Security

Do you want to know how secure your application is? Here you can find a summary of your application security based in the objective vulnerabilities found in your source code. Your overall security rating, distribution of vulnerabilities by priority based on the impact those vulnerabilities may have in your application and the likelihood to be exploited, a ranking of the worse files and vulnerability types found. Along with all you need to know to decide how to prioritize your efforts to get more stars in your rating.

- Quality.

Find out the risk, global quality indicator and technical debt of your application covering several aspects like maintainability, reliability, efficiency, portability and of course security of your application based on metrics and defects found in your source code. THis aspects are aligned with the characteristics you need to measure in your application as recommended by the ISO 25000 standard.

- Files.

See all the details of the files with defects and vulnerabilities in your code. A comprehensive list of all files with the distribution of defects by priority.

- Defects.

Complete list of defects and vulnerabilities as found in your code. With details of the files where they were found down to the line of code. Contextual help to understand the impact of every defect with code samples to help you remediate them. lists of standards they affect including well known security ones such as CWE, OWASP, PCI-DSS and more. Estimation of effort to repair, so you can plan the best way to tackle improvements. In summary everything developers need to remove defects and vulnerabilities to reduce risk, technical debt and globally improve your application in all aspects.

- Badges.

The badges for GitHub that Kiuwan generates are the two that you can see in the image:

Security. This badge is interesting for users and developers who use your code to know in advance how secure it is. In addition, they will also be able to access Kiuwan to check if the detected vulnerabilities are a problem or are correctly neutralized.

Quality. This badge shows the overall quality level of the whole code. To elaborate this indicator, code review rules have been used for all the internal quality characteristics of the software: maintainability, reliability, safety, portability and efficiency. It provides very accessible information on whether the code is secure, reliable and easy to understand and modify.

You can display both badges directly in your repository Readme.md file. You just need to copy the badges code and paste it in your Readme.md file in GitHub.